fix(cron): normalize flat legacy job rows

[vincentkoc]

Summary

• normalize stored flat legacy cron rows with top-level cron, tz, session, and message into canonical schedule, sessionTarget, and payload
• preserve legacy tools as payload.toolsAllow and remove the obsolete top-level flat fields from the normalized in-memory shape
• add regression coverage for both direct normalization and store-load recompute so startup/list paths do not crash on missing nested .kind

Fixes #43351.

Related to #38766 and #57640.

Validation

• pnpm test src/cron/normalize.test.ts src/cron/service/store.load-missing-session-target.test.ts src/cli/cron-cli/shared.test.ts
• OPENCLAW_LOCAL_CHECK=0 pnpm check:changed

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🟠 High	DoS risk: legacy flat schedule hydration enables extremely frequent schedules (everyMs/cron) without minimum interval validation

1. 🟠 DoS risk: legacy flat schedule hydration enables extremely frequent schedules (everyMs/cron) without minimum interval validation

Property	Value
Severity	High
CWE	CWE-400
Location	src/cron/normalize.ts:147-515

Description

The new legacy hydration path inferTopLevelSchedule() copies top-level schedule-like fields into next.schedule and passes them through coerceSchedule(), but no minimum interval or frequency validation is enforced.

This makes it possible for attacker-controlled or corrupted stored job rows using legacy flat fields (e.g., everyMs: 0, everyMs: 1, or high-frequency cron expressions) to be normalized into an active schedule and then executed extremely frequently, potentially causing CPU exhaustion / tight execution loops.

Key points:

• inferTopLevelSchedule() blindly copies at/atMs/everyMs/anchorMs/expr/cron/tz/staggerMs from the raw object when present.
• coerceSchedule() normalizes fields and deduces kind, but does not enforce sane lower bounds for everyMs or validate cron frequency.
• Downstream scheduling clamps everyMs to a minimum of 1ms (e.g., Math.max(1, ...)), which is still effectively an abusive schedule.

Vulnerable code:

for (const field of ["at", "atMs", "everyMs", "anchorMs", "expr", "cron", "tz", "staggerMs"]) {
  if (field in next) {
    schedule[field] = next[field];
  }
}
...
next.schedule = inferredSchedule;

If cron job definitions can be influenced by untrusted users (API input) or by tampering with persisted job specs (store), this can be used to trigger resource exhaustion by creating jobs that are due continuously.

Recommendation

Enforce schedule safety constraints during normalization (and ideally also at persistence boundaries):

• Reject or clamp everyMs below a safe minimum (commonly >= 1000ms or a configurable minimum).
• Validate cron expressions and reject schedules that would run more frequently than the minimum allowed cadence.
• Consider rejecting ambiguous combinations even when kind is specified (e.g., kind:"cron" but everyMs also present).

Example (enforce a minimum interval in coerceSchedule() for every):

const MIN_EVERY_MS = 1000;
...
if (next.kind === "every") {
  const everyMsRaw = coerceFiniteScheduleNumber(schedule.everyMs);
  if (everyMsRaw === undefined || everyMsRaw < MIN_EVERY_MS) {
    throw new Error(`invalid everyMs: must be >= ${MIN_EVERY_MS}`);
  }
  next.everyMs = Math.floor(everyMsRaw);
}

And for cron, compute the next two run times and enforce that the delta is >= the minimum cadence, rejecting expressions that violate the policy.

---

Analyzed PR: #71534 at commit c0b8596

_{Last updated on: 2026-04-25T10:30:43Z}

[greptile-apps]

Greptile Summary

This PR adds normalization for legacy flat cron job rows (where cron, tz, session, message, and tools live at the top level rather than nested under schedule/payload) so that the startup and list paths do not crash on missing nested .kind. The implementation correctly infers a nested schedule from kind/cron/tz, maps session → sessionTarget, lifts message → payload, migrates tools → payload.toolsAllow, and strips all obsolete top-level fields via stripLegacyTopLevelFields.

Confidence Score: 5/5

This PR is safe to merge — no logic errors or regressions found.

The normalization pipeline is correct: inferTopLevelSchedule correctly reads top-level kind/cron/tz fields and converts them via the existing coerceSchedule helper (which already handles cron → expr aliasing). session → sessionTarget mapping is guarded by the existing normalizeSessionTarget validator. tools → payload.toolsAllow fallback uses ?? correctly with the allowNull: true sentinel. stripLegacyTopLevelFields cleanly removes all migrated fields. The two new test cases (direct normalization and store-load recompute) provide solid regression coverage. No P1/P0 issues identified.

No files require special attention.

_{Reviews (1): Last reviewed commit: "fix(cron): normalize flat legacy job row..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c0b8596051

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Add "Thanks @author" attribution to changelog entry

The new changelog bullet is missing contributor attribution, which violates the repo rule in AGENTS.md that says every added entry must include at least one Thanks @author. This is likely to be flagged during maintainer review and makes the release note inconsistent with the required changelog format.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Strip top-level expr when normalizing legacy cron rows

inferTopLevelSchedule now accepts flat legacy expr values, but the legacy-field stripping block does not remove next.expr. That leaves an extra top-level expr after normalization, so cron.add/cron.update requests using flat legacy expr still fail schema validation (additionalProperties: false) even though a canonical schedule.expr was produced.

Useful? React with 👍 / 👎.